Role in IT decision-making process:Align Business & IT GoalsCreate IT StrategyDetermine IT NeedsManage Vendor RelationshipsEvaluate/Specify Brands or VendorsOther RoleAuthorize PurchasesNot Involved

Work Phone:

Company:

Company Size:

Industry:

Street Address

City:

Zip/postal code

State/Province:

Country:

Occasionally, we send subscribers special offers from select partners. Would you like to receive these special partner offers via e-mail?YesNo

Your registration with Eweek will include the following free email newsletter(s):News & Views

By submitting your wireless number, you agree that eWEEK, its related properties, and vendor partners providing content you view may contact you using contact center technology. Your consent is not required to view content or use site features.

By clicking on the "Register" button below, I agree that I have carefully read the Terms of Service and the Privacy Policy and I agree to be legally bound by all such terms.

WordPress 4.7.3 Updates for Six Security Issues

The open-source WordPress blogging and content management system fixes six vulnerabilities, including three Cross Site Scripting flaws.

The open-source WordPress blogging and content management system (CMS) released a new incremental version on March 6, providing users with six new security patches and 39 bug fixes. The new WordPress 4.7.3 update is the third security update for WordPress so far in 2017, following the 4.7.2 update on Jan. 26 and the 4.7.1 update on Jan. 12.

Among the patched issues is a flaw that could have enabled control characters to trick redirect validation. There is also a patch for a vulnerability that could have potentially enabled an administrator to delete unintended files. Additionally, WordPress 4.7.3 provides a patch for a Cross Site Request Forgery (CSRF) issue in the Press This quick publishing capability.

The single biggest area of patched vulnerabilities is with Cross Site Scripting (XSS) flaws, accounting for three of the six patched issues in WordPress 4.7.3. One of the XSS vulnerabilities is via media file metadata while another is in taxonomy term names. A third XSS was found in URLs for YouTube video embeds, that was discovered by Marc-Alexandre Montpas, vulnerability researcher at Sucuri.

Montpas explained that the XSS in YouTube video embeds was discovered while Sucuri was researching how a vulnerability patched in the WordPress 4.7.2 update, identified as an unauthenticated content injection in the REST API, could be exploited. That vulnerability was very impactful and enabled attackers to modify the content of pages and posts within unpatched WordPress sites. The issue was so severe, that WordPress did not immediately disclose the vulnerability when WordPress 4.7.2 was first released, in an effort to provide more time for users to update sites.

Further reading

The new XSS in YouTube video embeds vulnerability was discovered by Montpas and Sucuri, when researching how an attacker could pivot from the REST API issue and escalate the potential harm it could do.

"The two bugs combined could've lead to full site compromises," Montpas told eWEEK.

While there is the potential of damage from the new XSS with YouTube video embed XSS issue, Montpas noted that Sucuri has no indication of the vulnerability being used in the wild to attack WordPress sites.

As to why XSS issues continue to be found in WordPress, as well as other types of web applications, there are several reasons.

"The issue with XSS is it's very flexible," Montpas explained. "There are multiple kinds of scenarios in which it can occur and some of them can be very complex."

He added that there really are no "one size fits all" solution to XSS, because it depends both on how the data was processed before being displayed to the user and how it will be processed by client-side scripts.

"It is then very easy to miss one subtle detail, and the odds are this detail is the only thing required for an attacker to bypass the protections in place," Montpas said.

While XSS issues are routinely patched in WordPress, that doesn't mean that WordPress isn't doing the right things to improve security. Montpas noted that the WordPress 4.7 release brought quite a few changes to the platform, which also translates to new potential attack vectors for hackers.

"Even then, with the exception of the REST API bug patched on 4.7.2, it has been a very long time since WordPress had any severe vulnerabilities," Montpas said. "Most of the bugs reported nowadays require a bad actor to have special privileges on the site in order to exploit them, which I think shows the overall state of the project's security did improve. "

WordPress provides an automated update mechanism in a bid to help keep sites patched. WordPress first integrated the automatic update approach back in the WordPress 3.7 release that debuted in October 2013. As such, those organizations that have left the default settings in place for automatic WordPress updates will by now already have the new WordPress 4.7.3 update.